1 Answer
1

File system capabilities in Linux were added to allow more fine-grained control than setuid alone will allow. With setuid it's a full escalation of effective privileges to the user (typically root). The capabilities(7) manpage provides the following description:

For the purpose of performing permission checks, traditional Unix
implementations distinguish two categories of pro‐ cesses: privileged
processes (whose effective user ID is 0, referred to as superuser or
root), and unprivileged pro‐ cesses (whose effective UID is
nonzero). Privileged processes bypass all kernel permission checks,
while unprivi‐ leged processes are subject to full permission checking
based on the process's credentials (usually: effective UID, effective
GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally
associated with superuser into distinct units, known as capabilities,
which can be independently enabled and disabled. Capabilities are a
per-thread attribute.

If an application needs the ability to call chroot(), which is typically only allowed for root, CAP_SYS_CHROOT can be set on the binary rather than setuid. This can be done using the setcap command: